package eu.emi.security.authn.x509.impl;

import eu.emi.security.authn.x509.helpers.CertificateHelpers;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.util.IPAddress;

/* loaded from: input_file:eu/emi/security/authn/x509/impl/AbstractHostnameToCertificateChecker.class */
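/**
 * Base class for verifying that the host name of an SSL peer matches the peer's X.509 certificate.
 * <p>
 * The class is registered as a {@link HandshakeCompletedListener}; once the handshake finishes it
 * takes the first certificate of the peer chain and compares the peer host name against the
 * certificate's subject alternative names (dNSName / iPAddress) and, when no dNSName entry is
 * present, against the most specific CN of the subject DN. Subclasses decide what happens on a
 * mismatch ({@link #nameMismatch}) and may override how internal errors are reported
 * ({@link #processingError}).
 * <p>
 * Matching rules implemented here: a host name given as an IP literal is compared only with
 * iPAddress entries; any other host name is compared, case-insensitively, with dNSName entries
 * (and the CN fallback), where a {@code *} in the certificate name matches any run of characters
 * that contains no dot. Note that this accepts a wildcard in any label position, which is wider
 * than the RFC 6125 "leftmost label only" rule.
 */
public abstract class AbstractHostnameToCertificateChecker implements HandshakeCompletedListener {

    /** Tag of a dNSName entry in {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int SAN_DNS_NAME = 2;

    /** Tag of an iPAddress entry in {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int SAN_IP_ADDRESS = 7;

    /** Regular expression fragment a single {@code *} expands to: anything that contains no dot. */
    private static final String LABEL_WILDCARD = "[^\\.]*";

    /**
     * Mutable holder for the outcome of the alternative-name check.
     * <p>
     * {@link #checkAltNameMatching} reports two things: whether the alternative names decided the
     * question (its return value) and what the decision was (the {@code result} field of this
     * holder), so that {@link #checkMatching} knows when the CN fallback must not be consulted.
     */
    public static class ResultWrapper {
        // true once a dNSName or iPAddress entry matched the host name
        private boolean result = false;

        protected ResultWrapper() {
        }
    }

    /**
     * Verifies the peer host name against the peer certificate once the handshake completed.
     * <p>
     * Every failure that is not a plain name mismatch (no peer certificate, a non-X.509
     * certificate, an unverified peer, or an exception from the matching code) is routed to
     * {@link #processingError}; a name mismatch is routed to {@link #nameMismatch}.
     *
     * @param handshakeCompletedEvent the event describing the completed handshake
     */
    @Override
    public void handshakeCompleted(HandshakeCompletedEvent handshakeCompletedEvent) {
        Certificate[] peerCertificates;
        try {
            peerCertificates = handshakeCompletedEvent.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            processingError(handshakeCompletedEvent, new Exception("Peer is unverified when handshake is completed - is it really an X.509-authenticated connection?", e));
            return;
        }
        if (peerCertificates == null || peerCertificates.length == 0) {
            processingError(handshakeCompletedEvent, new Exception("JDK BUG? Got null or empty peer certificate array"));
            return;
        }
        // Only the end-entity certificate (first in the chain) carries the peer's names.
        if (!(peerCertificates[0] instanceof X509Certificate)) {
            processingError(handshakeCompletedEvent, new ClassCastException("Peer certificate should be an X.509 certificate, but is " + peerCertificates[0].getClass().getName()));
            return;
        }
        X509Certificate peerCertificate = (X509Certificate) peerCertificates[0];
        // NOTE(review): InetAddress.getHostName() may perform a reverse DNS lookup when the socket
        // was opened with an IP literal, so the name verified here can then originate from DNS
        // rather than from the caller. SSLSession.getPeerHost() is the usual source of the
        // caller-supplied name; confirm against the callers before changing this.
        String hostName = handshakeCompletedEvent.getSocket().getInetAddress().getHostName();
        try {
            if (!checkMatching(hostName, peerCertificate)) {
                nameMismatch(handshakeCompletedEvent, peerCertificate, hostName);
            }
        } catch (Exception e) {
            // Covers both CertificateParsingException/UnknownHostException from the matching code
            // and the SSLException a subclass may throw from nameMismatch().
            processingError(handshakeCompletedEvent, e);
        }
    }

    /**
     * Called when the peer host name does not match the peer certificate.
     *
     * @param handshakeCompletedEvent the event describing the completed handshake
     * @param x509Certificate the peer's end-entity certificate
     * @param str the host name that was checked against the certificate
     * @throws SSLException if the implementation decides to reject the connection
     */
    protected abstract void nameMismatch(HandshakeCompletedEvent handshakeCompletedEvent, X509Certificate x509Certificate, String str) throws SSLException;

    /**
     * Called when the check itself could not be performed. The default implementation throws an
     * {@link IllegalStateException} wrapping the cause; subclasses may override it.
     *
     * @param handshakeCompletedEvent the event describing the completed handshake
     * @param exc the error that prevented the check
     */
    protected void processingError(HandshakeCompletedEvent handshakeCompletedEvent, Exception exc) {
        throw new IllegalStateException("Error occured when verifying if the SSL peer's hostname matches its certificate", exc);
    }

    /**
     * Checks whether the given host name matches the certificate.
     * <p>
     * Subject alternative names are consulted first. The CN of the subject DN is used as a
     * fallback only when the alternative names did not decide the question (see
     * {@link #checkAltNameMatching}).
     *
     * @param str the host name (DNS name or IP literal) to verify
     * @param x509Certificate the certificate to verify against
     * @return true if the host name matches the certificate
     * @throws CertificateParsingException if the alternative names cannot be parsed
     * @throws UnknownHostException if an IP literal cannot be converted to an address
     */
    public boolean checkMatching(String str, X509Certificate x509Certificate) throws CertificateParsingException, UnknownHostException {
        ResultWrapper outcome = new ResultWrapper();
        if (checkAltNameMatching(outcome, str, x509Certificate)) {
            return outcome.result;
        }
        return checkCNMatching(str, x509Certificate);
    }

    /**
     * Compares the host name with the certificate's subject alternative names.
     * <p>
     * An IP-literal host name is compared only with iPAddress entries; any other host name only
     * with dNSName entries. On the first match {@code resultWrapper.result} is set to true and
     * true is returned. Without a match, true is returned if at least one dNSName entry was seen
     * (the alternative names then decide, and the CN must not be consulted), otherwise false,
     * which lets the caller fall back to the CN. iPAddress entries alone do not set that flag;
     * this mirrors the original behaviour and is kept as-is.
     *
     * @param resultWrapper receives the match outcome
     * @param str the host name (DNS name or IP literal) to verify
     * @param x509Certificate the certificate whose alternative names are examined
     * @return true if the alternative names decided the check, false if the CN should be consulted
     * @throws CertificateParsingException if the alternative names cannot be parsed
     * @throws UnknownHostException if an IP literal cannot be converted to an address
     */
    protected boolean checkAltNameMatching(ResultWrapper resultWrapper, String str, X509Certificate x509Certificate) throws CertificateParsingException, UnknownHostException {
        Collection<List<?>> altNames = x509Certificate.getSubjectAlternativeNames();
        if (altNames == null) {
            return false;
        }
        boolean hostIsIpLiteral = IPAddress.isValid(str);
        boolean dnsNamePresent = false;
        for (List<?> altName : altNames) {
            int type = ((Integer) altName.get(0)).intValue();
            if (type == SAN_DNS_NAME) {
                dnsNamePresent = true;
                if (!hostIsIpLiteral && matchesDNS(str, (String) altName.get(1))) {
                    resultWrapper.result = true;
                    return true;
                }
            } else if (type == SAN_IP_ADDRESS && hostIsIpLiteral && matchesIP(str, (String) altName.get(1))) {
                resultWrapper.result = true;
                // A matching iPAddress entry decides the check regardless of whether a dNSName
                // entry was seen before it; previously the dNSName flag was returned here, which
                // discarded an IP match when no dNSName preceded it and fell back to the CN.
                return true;
            }
        }
        return dnsNamePresent;
    }

    /**
     * Compares the host name with the most specific CN of the certificate's subject DN.
     * <p>
     * A CN containing a slash is reduced to the part after the first slash before matching
     * (presumably to support {@code service/host}-style CNs; confirm with the deployments that
     * rely on it).
     *
     * @param str the host name to verify
     * @param x509Certificate the certificate whose subject CN is examined
     * @return true if the CN matches the host name; false if the subject is empty or has no CN
     */
    protected boolean checkCNMatching(String str, X509Certificate x509Certificate) {
        X500Principal subject = x509Certificate.getSubjectX500Principal();
        if ("".equals(subject.getName())) {
            return false;
        }
        String cn = getMostSpecificCN(subject);
        if (cn == null) {
            return false;
        }
        int slashPos = cn.indexOf('/');
        if (slashPos >= 0) {
            cn = cn.substring(slashPos + 1);
        }
        return matchesDNS(str, cn);
    }

    /**
     * Matches a host name against a (possibly wildcarded) DNS name from a certificate.
     * The whole host name must match; the comparison is case-insensitive.
     *
     * @param str the host name
     * @param str2 the certificate name, in which {@code *} acts as a within-label wildcard
     * @return true if the host name matches the certificate name
     */
    protected static boolean matchesDNS(String str, String str2) {
        return Pattern.compile(makeRegexpHostWildcard(str2), Pattern.CASE_INSENSITIVE).matcher(str).matches();
    }

    /**
     * Converts a certificate DNS name into a regular expression. Every literal part is quoted and
     * every {@code *} becomes {@value #LABEL_WILDCARD}, i.e. a run of characters without a dot.
     *
     * @param str the certificate name, possibly containing {@code *}
     * @return a regular expression matching the host names covered by {@code str}
     */
    public static String makeRegexpHostWildcard(String str) {
        // split() keeps a leading empty part but drops trailing empty parts, hence the explicit
        // startsWith/endsWith handling around the loop.
        String[] literalParts = str.split("\\*");
        StringBuilder regexp = new StringBuilder();
        if (str.startsWith("*")) {
            regexp.append(LABEL_WILDCARD);
        }
        for (int i = 0; i < literalParts.length; i++) {
            if (i > 0) {
                regexp.append(LABEL_WILDCARD);
            }
            regexp.append(Pattern.quote(literalParts[i]));
        }
        if (str.endsWith("*")) {
            regexp.append(LABEL_WILDCARD);
        }
        return regexp.toString();
    }

    /**
     * Compares two IP addresses by their raw bytes.
     * Both arguments are expected to be IP literals; a non-literal would be resolved via DNS by
     * {@link InetAddress#getByName(String)}.
     *
     * @param str the host name given as an IP literal
     * @param str2 the iPAddress entry from the certificate
     * @return true if both denote the same address
     * @throws UnknownHostException if either value cannot be converted to an address
     */
    protected boolean matchesIP(String str, String str2) throws UnknownHostException {
        byte[] hostAddress = InetAddress.getByName(str).getAddress();
        byte[] certAddress = InetAddress.getByName(str2).getAddress();
        return Arrays.equals(hostAddress, certAddress);
    }

    /**
     * Returns the last single-valued CN in the RDN sequence of the principal, or null if there is
     * none. Multi-valued RDNs are skipped. The last CN is assumed to be the most specific one,
     * i.e. the RDN sequence returned by {@code CertificateHelpers.toX500Name} is assumed to run
     * from least to most specific — TODO confirm against that helper.
     *
     * @param x500Principal the subject DN to inspect
     * @return the string value of the most specific CN, or null
     */
    public String getMostSpecificCN(X500Principal x500Principal) {
        String mostSpecific = null;
        for (RDN rdn : CertificateHelpers.toX500Name(x500Principal).getRDNs()) {
            if (rdn.isMultiValued()) {
                continue;
            }
            AttributeTypeAndValue attribute = rdn.getFirst();
            if (attribute.getType().equals(BCStyle.CN)) {
                mostSpecific = IETFUtils.valueToString(attribute.getValue());
            }
        }
        return mostSpecific;
    }

    static {
        CertificateUtils.configureSecProvider();
    }
}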
